CVE-2021-34523

CRITICAL KEV RANSOMWARE

Microsoft Exchange Server - Privilege Escalation

Exploitation Summary

CVE-2021-34523 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including mithridates1313, SUPRAAA-1337, Orange Tsai, Jang (@testanull), PeterJson, brandonshi123, mekhalleh (RAMELLA Sébastien), Donny Maasland, Rich Warren, Spencer McIntyre and wvu, among them the Metasploit module exploits/windows/http/exchange_proxyshell_rce.

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploits (9)

nomisec SCANNER 16 stars
by mithridates1313 · infoleak
https://github.com/mithridates1313/ProxyShell_POC

The repository contains a Python script that scans for the ProxyShell vulnerability (CVE-2021-34523) by sending a crafted HTTP request to the target and checking for a specific response pattern. It does not include exploit code for achieving RCE but confirms vulnerability presence.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server (versions affected by ProxyShell)
No auth needed
Prerequisites: Network access to the target Exchange server
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 2 stars
by SUPRAAA-1337 · infoleak
https://github.com/SUPRAAA-1337/CVE-2021-34523

The repository contains a Nuclei template for detecting CVE-2021-34523, an elevation of privilege vulnerability in Microsoft Exchange Server. It sends a crafted HTTP request to the autodiscover endpoint and checks for specific response patterns (302 redirect and 'errorfe.aspx') to identify vulnerable systems.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Network access to the target Exchange Server
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Orange Tsai, Jang (@testanull), PeterJson, brandonshi123, mekhalleh (RAMELLA Sébastien), Donny Maasland, Rich Warren, Spencer McIntyre, wvu · ruby · poc · windows
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb

This Metasploit module exploits CVE-2021-34473, a vulnerability in Microsoft Exchange Server that allows an attacker to bypass authentication, impersonate an arbitrary user, and write an arbitrary file to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (2013 CU23 < 15.0.1497.15, 2016 CU19 < 15.1.2176.12, 2016 CU20 < 15.1.2242.5, 2019 CU8 < 15.2.792.13, 2019 CU9 < 15.2.858.9)
No auth needed
Prerequisites: Network access to the target Exchange Server · A known email address for the organization (optional)
devstral-2 · analyzed Feb 16, 2026

patchapalooza WORKING POC
by horizon3ai · remote
https://github.com/horizon3ai/proxyshell

This repository contains a functional exploit for the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting Microsoft Exchange Server. The exploit automates the attack chain, including enumeration of emails and LegacyDNs from Active Directory, and handles load-balanced environments.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (various versions including 2013, 2016, and 2019)
No auth needed
Prerequisites: Network access to vulnerable Exchange Server · Python environment with required dependencies
devstral-2 · analyzed Feb 23, 2026

patchapalooza WORKING POC
by aravazhimdr · remote
https://github.com/aravazhimdr/ProxyShell-POC-Mod

This repository contains a functional exploit for ProxyShell (CVE-2021-34523), combining elements from two prior PoCs to achieve remote code execution on Microsoft Exchange servers. It leverages authentication bypass and arbitrary file write vulnerabilities to execute PowerShell commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (2016, 2019)
No auth needed
Prerequisites: Network access to Exchange server · Exchange server exposed to the internet or accessible via proxy
devstral-2 · analyzed Feb 23, 2026

patchapalooza WORKING POC
by Udyz · remote
https://github.com/Udyz/proxyshell-auto

This repository contains a functional exploit for CVE-2021-34523 (ProxyShell), which chains authentication bypass and arbitrary file write vulnerabilities in Microsoft Exchange Server to achieve remote code execution. The exploit automates the process of obtaining a token, writing a webshell, and executing commands as SYSTEM.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (2013, 2016, 2019)
No auth needed
Prerequisites: Network access to Exchange Server · Exchange Server with vulnerable Autodiscover endpoint
devstral-2 · analyzed Feb 23, 2026

patchapalooza WORKING POC
by dmaasland · remote
https://github.com/dmaasland/proxyshell-poc

This repository contains functional exploit code for CVE-2021-34523 (ProxyShell), demonstrating remote code execution (RCE) against Microsoft Exchange Server. The scripts include enumeration, token generation, and RCE capabilities via PowerShell remoting.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (2013, 2016, 2019)
No auth needed
Prerequisites: Network access to vulnerable Exchange server · Python 3.8+ environment
devstral-2 · analyzed Feb 23, 2026

patchapalooza WORKING POC
by ktecv2000 · remote
https://github.com/ktecv2000/ProxyShell

This repository contains a functional exploit for CVE-2021-34523 (ProxyShell), which chains multiple vulnerabilities in Microsoft Exchange Server to achieve unauthenticated remote code execution. The exploit follows a multi-stage attack, including SSRF, SID manipulation, and PowerShell remoting to deploy a webshell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (2013, 2016, 2019)
No auth needed
Prerequisites: Network access to the Exchange Server · Valid email address associated with the target
devstral-2 · analyzed Feb 23, 2026

patchapalooza SCANNER
by cyberheartmi9 · remote
https://github.com/cyberheartmi9/Proxyshell-Scanner

This repository contains a scanner for detecting the Proxyshell vulnerability (CVE-2021-34473) in Microsoft Exchange Server. It includes a Python script and a Nuclei template to check for the presence of the vulnerability by sending a crafted HTTP request and checking for specific response headers.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Network access to the target Exchange Server
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 9.0
EPSS 0.9400
EPSS Percentile 99.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-08-30
InTheWild.io 2021-08-24
ENISA EUVD EUVD-2021-21177
Ransomware Use Confirmed
Status published
Products (3)
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_19 (2 CPE variants)
microsoft/exchange_server 2019 cumulative_update_8 (2 CPE variants)
Published Jul 14, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026